volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Symbols are not picked up #1132

Open nallamuthu opened 7 months ago

nallamuthu commented 7 months ago

Describe the bug
I am trying to perform memory analysis for the NTOSKRNL version below on a Windows 11 machine. I downloaded the symbols from Microsoft and converted them. But when I try to perform the analysis, this symbol file is not picked up and it ends with an error only. Please help.

NTOSKRNL version: 10.0.22631.3155
GUID: 2A832A6884144D88C39DB4B4DB66D71C
Download URL: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/2A832A6884144D88C39DB4B4DB66D71C1/ntkrnlmp.pdb
Command executed: pdbconv.py -f AA01AAFDC219D45494EC3D2B7B8A08C6E875546DA5BB9D0873716C1A097DC56B00.blob -o 2A832A6884144D88C39DB4B4DB66D71C-1.json.xz

Context
Volatility Version: 3
Operating System: 10.0.22631.3155
Python Version: 3
Suspected Operating System: 10.0.22631.3155

Example output
Volatility 3 Framework 2.5.2
Progress:  100.00		PDB scanning finished
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled. Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled. Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

eve-mem commented 7 months ago

Could you add the log from vol with -vvvvv added before the plugin name? It really helps when working out issues.

It would also be useful to see the output of the isfinfo plugin.

nallamuthu commented 7 months ago

Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['/home/analyst1/volatility3/volatility3/plugins', '/home/analyst1/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/analyst1/volatility3/volatility3/symbols', '/home/analyst1/volatility3/volatility3/framework/symbols']
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/analyst1/volatility3/volatility3/framework/init.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.11/importlib/init.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 1204, in _gcd_import
  File "", line 1176, in _find_and_load
  File "", line 1147, in _find_and_load_unlocked
  File "", line 690, in _load_unlocked
  File "", line 940, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/analyst1/volatility3/volatility3/framework/plugins/windows/lsadump.py", line 8, in
    from Crypto.Cipher import ARC4, DES, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/analyst1/volatility3/volatility3/framework/plugins/windows/lsadump.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/analyst1/volatility3/volatility3/framework/init.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.11/importlib/init.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 1204, in _gcd_import
  File "", line 1176, in _find_and_load
  File "", line 1147, in _find_and_load_unlocked
  File "", line 690, in _load_unlocked
  File "", line 940, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/analyst1/volatility3/volatility3/framework/plugins/windows/cachedump.py", line 8, in
    from Crypto.Cipher import ARC4, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/analyst1/volatility3/volatility3/framework/plugins/windows/cachedump.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/analyst1/volatility3/volatility3/framework/init.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.11/importlib/init.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 1204, in _gcd_import
  File "", line 1176, in _find_and_load
  File "", line 1147, in _find_and_load_unlocked
  File "", line 690, in _load_unlocked
  File "", line 940, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/analyst1/volatility3/volatility3/framework/plugins/windows/hashdump.py", line 10, in
    from Crypto.Cipher import AES, ARC4, DES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/analyst1/volatility3/volatility3/framework/plugins/windows/hashdump.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump
DETAIL 3 volatility3.cli: Cache directory used: /home/analyst1/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
DETAIL 2 volatility3.framework.automagic.symbol_cache: Identified file:///home/analyst1/volatility3/volatility3/symbols/2A832A6884144D88C39DB4B4DB66D71C-1.json as b'ntkrnlmp.pdb|2A832A6884144D88C39DB4B4DB66D71C|1'
DETAIL 2 volatility3.framework.automagic.symbol_cache: Identified file:///home/analyst1/volatility3/volatility3/symbols/2A832A6884144D88C39DB4B4DB66D71C-1.json.xz as b'ntkrnlmp.pdb|2A832A6884144D88C39DB4B4DB66D71C|1'
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DETAIL 2 volatility3.framework.automagic.stacker: Stacked WindowsCrashDump64Layer using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: WindowsCrashDump64Layer
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 4293824511
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['WindowsCrashDump64Layer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled. Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled. Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

nallamuthu commented 7 months ago

After the crypto issue was resolved:

Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['/home/analyst1/Tools/vol3/volatility3/plugins', '/home/analyst1/Tools/vol3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/analyst1/Tools/vol3/volatility3/symbols', '/home/analyst1/Tools/vol3/volatility3/framework/symbols']
DETAIL 3 volatility3.cli: Cache directory used: /home/analyst1/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DETAIL 2 volatility3.framework.automagic.stacker: Stacked WindowsCrashDump64Layer using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: WindowsCrashDump64Layer
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 4293824511
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['WindowsCrashDump64Layer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled. Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled. Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

nallamuthu commented 7 months ago

Output of isfinfo plugin after removing the duplicate symbol file:

Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['/home/analyst1/Tools/vol3/volatility3/plugins', '/home/analyst1/Tools/vol3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/analyst1/Tools/vol3/volatility3/symbols', '/home/analyst1/Tools/vol3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /home/analyst1/Tools/vol3/volatility3/plugins, /home/analyst1/Tools/vol3/volatility3/framework/plugins
DETAIL 4 volatility3.framework: Importing from the following paths: /home/analyst1/Tools/vol3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /home/analyst1/.cache/volatility3
INFO     volatility3.framework.automagic: No plugin category detected
DETAIL 4 volatility3.framework: Importing from the following paths: /home/analyst1/Tools/vol3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /home/analyst1/Tools/vol3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/analyst1/Tools/vol3/volatility3/symbols, /home/analyst1/Tools/vol3/volatility3/framework/symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /home/analyst1/Tools/vol3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: MacSymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 3 volatility3.cli.text_filter: Filters: []

URI	Valid	Number of base_types	Number of types	Number of symbols	Number of enums	Identifying information
file:///home/analyst1/Tools/vol3/volatility3/symbols/2A832A6884144D88C39DB4B4DB66D71C-1.json.xz	Unknown	16	1820	44399	361	b'ntkrnlmp.pdb|2A832A6884144D88C39DB4B4DB66D71C|1'
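The isfinfo output above shows the symbol cache reading the banner `ntkrnlmp.pdb|GUID|age` out of the converted file, while the earlier -vvvvv logs end with "No suitable kernels found during pdbscan": the ISF file is found, but nothing in the image is being matched to it. The check below is an added example (not code from this issue or from the Volatility project) of the comparison a practitioner would make next: parse the GUID/age/database triple from the ISF metadata, scan a byte buffer for the kernel's CodeView `RSDS` debug record, render the GUID in the same mixed-endian uppercase notation the banner uses, and report whether the two agree and what file name the symbol cache will look for. The ISF metadata field names (`metadata.windows.pdb.GUID/age/database`) and the kernel PDB name list are taken from the ISF format and pdbscan as I know them; the image buffer is constructed inline, not a real dump.

```python
import json
import struct
import uuid

# PDB names that identify the NT kernel in an RSDS record (pdbscan convention).
KERNEL_PDB_NAMES = (b"ntkrnlmp.pdb", b"ntoskrnl.pdb", b"ntkrnlpa.pdb", b"ntkrpamp.pdb")

# Constructed sample: the metadata block of an ISF file as pdbconv.py writes it,
# filled with the GUID/age from this issue. Assumption: these metadata field names.
SAMPLE_ISF = json.dumps({
    "metadata": {
        "format": "6.2.0",
        "windows": {"pdb": {"GUID": "2A832A6884144D88C39DB4B4DB66D71C",
                            "age": 1, "database": "ntkrnlmp.pdb"}},
    },
    "base_types": {}, "user_types": {}, "enums": {}, "symbols": {},
})


def build_rsds(guid_hex: str, age: int, pdb_name: bytes) -> bytes:
    """Serialise a CV_INFO_PDB70 record: 'RSDS', GUID in the mixed-endian layout a PE
    stores it in, little-endian age, NUL-terminated PDB file name."""
    return b"RSDS" + uuid.UUID(hex=guid_hex).bytes_le + struct.pack("<I", age) + pdb_name + b"\0"


def scan_rsds(data: bytes, wanted=KERNEL_PDB_NAMES) -> list:
    """Find RSDS records for the wanted PDB names in a flat byte buffer and return
    each GUID as the 32-digit uppercase string that appears in the ISF banner."""
    hits = []
    pos = data.find(b"RSDS")
    while pos >= 0:
        body = data[pos + 4:pos + 24]                # 16-byte GUID + 4-byte age
        end = data.find(b"\0", pos + 24)             # end of the PDB file name
        if len(body) == 20 and 0 <= end - (pos + 24) <= 100:
            name = data[pos + 24:end]
            if name in wanted:
                hits.append({
                    "offset": pos,
                    "pdb": name.decode("ascii"),
                    "guid": uuid.UUID(bytes_le=body[:16]).hex.upper(),
                    "age": struct.unpack("<I", body[16:20])[0],
                })
        pos = data.find(b"RSDS", pos + 4)
    return hits


def isf_identity(isf_text: str) -> tuple:
    """Read (GUID, age, pdb name) from the metadata block of an ISF JSON document."""
    pdb = json.loads(isf_text)["metadata"]["windows"]["pdb"]
    return pdb["GUID"].upper(), int(pdb["age"]), pdb["database"]


def expected_isf_filename(guid: str, age: int) -> str:
    """File name convention for a converted kernel PDB under the symbols directory."""
    return f"{guid}-{age}.json.xz"


def diagnose(isf_text: str, image: bytes) -> dict:
    """Compare the kernel the image advertises with the PDB the ISF was built from."""
    guid, age, name = isf_identity(isf_text)
    hits = scan_rsds(image)
    matching = [h for h in hits if (h["guid"], h["age"]) == (guid, age)]
    return {
        "isf_banner": f"{name}|{guid}|{age}",
        "expected_filename": expected_isf_filename(guid, age),
        "kernel_records_in_image": len(hits),
        "isf_matches_image": bool(matching),
    }


def constructed_image() -> bytes:
    """Stand-in for a memory image: padding, one kernel RSDS record that matches the
    sample ISF, and a record for a non-kernel PDB that the scanner must ignore."""
    return (b"\x00" * 64
            + build_rsds("2A832A6884144D88C39DB4B4DB66D71C", 1, b"ntkrnlmp.pdb")
            + b"\xff" * 32
            + build_rsds("00112233445566778899AABBCCDDEEFF", 3, b"hal.pdb")
            + b"\x00" * 64)


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_ISF, constructed_image()), indent=2))
```

Against a real dump the scan would be run over the reconstructed kernel virtual layer (the record can straddle page boundaries, and a crash-dump container is not a flat image), so this buffer scan is the logic, not a replacement for pdbscan. If `scan_rsds` returns a kernel record whose GUID or age differs from the ISF banner, the wrong PDB was converted; if it returns none, the layer stacking or the acquisition is the thing to look at, which is the direction the thread takes when it turns to how the memory was captured.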

eve-mem commented 7 months ago

Great, thanks. Looks like the symbols you made are in the right place and are being picked up, but it's not quite working.

How exactly did you acquire the memory?

nallamuthu commented 7 months ago

Using the DumpIt tool. Tried with 2 options, dump with system privilege and dump with admin privilege. Dumped using FTK Imager as well. Same issue.

eve-mem commented 7 months ago

Hello, thank you for the information. Ah, at the moment I'm not clear why it isn't working. Perhaps someone else will spot the issue.

Is this memory sample one you can share?

nallamuthu commented 7 months ago

I have taken multiple memory dumps using multiple tools. Still the same. Sharing a memory dump might not help.

github-actions[bot] commented 1 week ago

This issue is stale because it has been open for 200 days with no activity.